Reversing: The Hacker's Guide to Reverse Engineering


this book are focused exclusively on offline code analysis, not on live analysis. This means that you'll primarily just read assembly language listings and try to decipher them, as opposed to running programs in the debugger and stepping through them. Even though in many cases you'll want to combine the two approaches, I've decided to only use offline analysis (dead listing) because it is easier to implement in the context of a written guide.

I could have described live debugging sessions throughout this book, but they would have been very difficult to follow, because any minor environmental difference (such as a different operating system version or even a different service pack) could create confusing differences between what you see on the screen and what's printed on the page. The benefit of using dead listings is that you will be able to follow along with everything I do just by reading the code listings from the page and analyzing them with me.

In the next few chapters, you can expect to see quite a few longish, uncommented assembly language code listings, followed by detailed explanations of those listings. I have intentionally avoided commenting any of the code, because that would be outright cheating. The whole point is that you will look at raw assembly language code just as it will be presented to you in a real reversing session, and try to extract the information you're seeking from that code. I've made these analysis sessions very detailed, so you can easily follow the comprehension process as it takes place.

The disassembled listings in this book were produced using more than one disassembler, which makes sense considering that reversers rarely work with just a single tool throughout an entire project. Generally speaking, most of the code listings were produced using OllyDbg, which is one of the best freeware reversing tools available (it's actually distributed as shareware, but registration is performed free of charge—it's just a formality). Even though OllyDbg is a debugger, I find its internal disassembler quite powerful considering that it is 100 percent free—it provides highly accurate disassembly, and its code analysis engine is able to extract a decent amount of high-level information regarding the disassembled code.


Locating Undocumented APIs


As I've already mentioned, in this chapter you will be taking a group of undocumented Windows APIs and practicing your reversing skills on them. Before introducing the specific APIs you will be working with, let's take a quick look at how I found those APIs and how it is generally possible to locate such undocumented functions or APIs, regardless of whether they are part of the operating system or of some other third-party library.

The next section describes the first steps in dealing with undocumented code: how to find undocumented APIs and locate code that uses them.
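Whatever method the following section uses, the raw material for locating undocumented functions in a library is its export table: every function a DLL exposes by name is listed there, documented or not, so the first mechanical step is to enumerate those names and set aside the ones that no public header or reference covers. The script below is an added example written for this edition, not code from the book; it parses the export directory of a PE image directly (DOS header, PE signature, optional header data directory, section table, then the three export arrays) and reports the names absent from a documented-name list. The PE image it works on is constructed inline so the example runs offline, and its module name (`sample.dll`), export names and code RVAs are invented placeholders, not real Windows exports.

```python
import struct

# Names a practitioner would take from public headers/reference docs. Constructed
# for this example; "SampleInternalC" is deliberately left out to play the role
# of an undocumented export.
DOCUMENTED = {"SampleExportA", "SampleExportB"}


def build_sample_pe():
    """Construct a minimal PE32+ image whose only section holds an export table.
    Every value here (module name, export names, code RVAs) is invented."""
    section_rva, raw_off = 0x1000, 0x200
    names = [b"SampleExportA", b"SampleExportB", b"SampleInternalC"]
    funcs = [0x2010, 0x2040, 0x2090]            # placeholder code RVAs
    dll_name = b"sample.dll"

    # Export section layout (offsets relative to section start).
    aof_off = 40                                # AddressOfFunctions array
    aon_off = aof_off + 4 * len(funcs)          # AddressOfNames array
    aono_off = aon_off + 4 * len(names)         # AddressOfNameOrdinals array
    str_off = aono_off + 2 * len(names)         # string pool
    strings, name_rvas = b"", []
    for n in names:
        name_rvas.append(section_rva + str_off + len(strings))
        strings += n + b"\0"
    dll_name_rva = section_rva + str_off + len(strings)
    strings += dll_name + b"\0"

    # IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, Name,
    # Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames,
    # AddressOfNameOrdinals.
    section = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1,
                          len(funcs), len(names), section_rva + aof_off,
                          section_rva + aon_off, section_rva + aono_off)
    section += b"".join(struct.pack("<I", f) for f in funcs)
    section += b"".join(struct.pack("<I", r) for r in name_rvas)
    section += b"".join(struct.pack("<H", i) for i in range(len(names)))
    section += strings
    size = len(section)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110                 # PE32+ magic
    opt += struct.pack("<II", section_rva, size)                 # export data directory
    opt += b"\0" * (240 - len(opt))
    sect = b".edata\0\0" + struct.pack("<IIIIIIHHI", size, section_rva, size,
                                       raw_off, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + opt + sect
    return headers + b"\0" * (raw_off - len(headers)) + section


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(data):
    """Return (module name, [(export name, ordinal, function RVA), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 layout
    exp_rva, _exp_size = struct.unpack_from("<II", data, dd_off)
    sections = []
    for i in range(nsect):
        vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, opt_off + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if exp_rva == 0:
        return "", []                                   # module exports nothing
    e = rva_to_offset(exp_rva, sections)
    name_rva, base, nfunc, nnames, aof, aon, aono = struct.unpack_from(
        "<IIIIIII", data, e + 12)
    func_rvas = struct.unpack_from("<%dI" % nfunc, data, rva_to_offset(aof, sections))
    names_off = rva_to_offset(aon, sections)
    ords_off = rva_to_offset(aono, sections)
    exports = []
    for i in range(nnames):
        nrva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        idx = struct.unpack_from("<H", data, ords_off + 2 * i)[0]   # index into AOF
        exports.append((read_cstr(data, rva_to_offset(nrva, sections)),
                        base + idx, func_rvas[idx]))
    return read_cstr(data, rva_to_offset(name_rva, sections)), exports


def find_undocumented(exports, documented):
    """Exported names that no public documentation accounts for."""
    return sorted(name for name, _, _ in exports if name not in documented)


if __name__ == "__main__":
    module, exports = parse_exports(build_sample_pe())
    for name, ordinal, rva in exports:
        print("%-20s ordinal %d  RVA 0x%x" % (name, ordinal, rva))
    print(module, "undocumented:", find_undocumented(exports, DOCUMENTED))
```

On a real module you would replace `build_sample_pe()` with the bytes of a DLL read from disk and `DOCUMENTED` with names scraped from the public SDK headers; exports reached only by ordinal (entries in AddressOfFunctions with no name) are a further signal that an interface was never meant for public use, and the parser above deliberately leaves them out so that `nfunc` and `nnames` differing is easy to spot.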


Beyond the Documentation 143